From 1e6f03a45d992030b45edcb7260c8abde96f9f88 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Fri, 14 Mar 2025 12:01:17 +0100
Subject: [PATCH] dissect-image: relax image policy logic a bit
Previously if we found a verity signature partition in an image, and the image policy required "verity" (but did not allow "signature") we'd refuse the image. This is of course unnecessarily strict: if "verity" is allowed, we can make use of the verity data, and ignore the signature data. hence, relax the rules here: when we pick up a partition and want to test it against the policy, always consider all "weaker" uses too, maybe they are allowed if the "stronger" users isn't.
---
 src/shared/dissect-image.c | 29 +++++++++++++++++++----------
 1 file changed, 19 insertions(+), 10 deletions(-)
diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
index c8e6f8f121f..660a05379f3 100644
--- a/src/shared/dissect-image.c
+++ b/src/shared/dissect-image.c
@@ -1519,20 +1519,29 @@ static int dissect_image(
 * we don't check encryption requirements here, because we haven't probed the file system yet, hence
 * don't know if this is encrypted or not) */
 for (PartitionDesignator di = 0; di < _PARTITION_DESIGNATOR_MAX; di++) {
- PartitionDesignator vi, si;
+ any = any || m->partitions[di].found;
+
+ /* Determine the verity protection level for this partition. */
 PartitionPolicyFlags found_flags;
+ if (m->partitions[di].found) {
+ found_flags = PARTITION_POLICY_ENCRYPTED|PARTITION_POLICY_UNPROTECTED|PARTITION_POLICY_UNUSED;
- any = any || m->partitions[di].found;
+ PartitionDesignator vi = partition_verity_of(di);
+ if (vi >= 0 && m->partitions[vi].found) {
+ found_flags |= PARTITION_POLICY_VERITY;
- vi = partition_verity_of(di);
- si = partition_verity_sig_of(di);
+ PartitionDesignator si = partition_verity_sig_of(di);
+ if (si >= 0 && m->partitions[si].found)
+ found_flags |= PARTITION_POLICY_SIGNED;
+ }
+ } else
+ found_flags = m->partitions[di].ignored ? PARTITION_POLICY_UNUSED : PARTITION_POLICY_ABSENT;
- /* Determine the verity protection level for this partition. */
- found_flags = m->partitions[di].found ?
- (vi >= 0 && m->partitions[vi].found ?
- (si >= 0 && m->partitions[si].found ? PARTITION_POLICY_SIGNED : PARTITION_POLICY_VERITY) :
- PARTITION_POLICY_ENCRYPTED|PARTITION_POLICY_UNPROTECTED) :
- (m->partitions[di].ignored ? PARTITION_POLICY_UNUSED : PARTITION_POLICY_ABSENT);
+ if (DEBUG_LOGGING) {
+ _cleanup_free_ char *s = NULL;
+ (void) partition_policy_flags_to_string(found_flags, /* simplify= */ false, &s);
+ log_debug("Found for designator %s: %s", partition_designator_to_string(di), strna(s));
+ }
 r = image_policy_check_protection(policy, di, found_flags);
 if (r < 0)
-- 
2.47.3
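Review bot: For a found partition the new seed line `found_flags = PARTITION_POLICY_ENCRYPTED|PARTITION_POLICY_UNPROTECTED|PARTITION_POLICY_UNUSED;` includes PARTITION_POLICY_UNUSED, which the removed ternary never set for a present partition and which the commit message (verity versus signature) does not explain. If a present partition is meant to also satisfy an "unused" policy entry, say so where the flags are seeded; otherwise drop that bit so the relaxation stays limited to the verity/signature ordering the message describes. The cumulative meaning of the flags is now only implicit in the OR-ing, and the retained comment `/* Determine the verity protection level for this partition. */` no longer describes a single level; it could read `/* Collect every policy use this partition can satisfy: flags are cumulative, so a signed verity partition also passes a policy that only asks for "verity" or "unprotected". */`, assuming image_policy_check_protection() accepts any overlapping bit, which is not visible here. dissect_image() starts and continues outside the hunk.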